MITIGATING DDOS ATTACKS ON INTERNET PROTOCOL NETWORKS

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of, and priority to US Patent Appl. No. 19/224,345 titled “MITIGATING DDOS ATTACKS ON INTERNET PROTOCOL NETWORKS”, filed on 30 May 2025, which is a continuation-in-part of US Patent Appl. No. 18/626,273 titled “SYSTEMS AND METHODS FOR MITIGATING DDOS ATTACKS ON INTERNET PROTOCOL NETWORKS”, filed on 3 April 2024 which claims the benefit of US Provisional Appl. No. 63/456,533, titled “SYSTEM AND METHOD FOR MITIGATING DDOS ATTACKS ON INTERNAL PROTOCOL NETWORKS” filed on 3 April 2023. The specifications of which are incorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION

FIELD OF THE ART

The disclosure relates to the field of internet protocol (IP) technologies, and more particularly to relates to traffic redirection mechanisms to protect digital resources from distributed attacks.

Discussion of the State of the Art

Devices within the internet are uniquely identified by their IP address, either IPv4 or IPv6 addresses. Packets are routed by providing a more specific subnet of traffic and the gateway IP that processes them. Each routing point maintains its routing table of subnets and ‘next hops’. Public internets are routed typically by at least an IPV4/24 (i.e., 24 fixed bits, 8 bits variable) or IPV6/48 (i.e., 48 fixed bits, 64 variable).

Generally, services (server/resources) on the internet are accessed via a universal record locator (URL) which typically consists of a protocol and a string of names, in reverse hierarchical order. For example, “HTTP://WWW.CNN.COM” represents a request (via HTTP protocol) to the site ‘www.cnn.com’, where the ‘top-level domain’ (i.e.: “.com”) uses registrars to assign sub-domains to entities, recursively. Applications receive and send traffic on a server by listening and talking on specific ports, which for the most common protocols (TCP, UDP) are 16 bits (65535 values).

A common issue today is that bad actors can attack these internet services. For example, attackers may manipulate HTTP, GET, POST, and other unwanted HTTP requests to attack or overload, a victim server, service, or application resources. These attacks are often executed by an attack tool or tools designed to generate and send floods of “legitimate-looking” HTTP requests to the victim server. The content of such requests might be randomized, or pseudo-randomized, to emulate legitimate WEB client behavior and evade anti-DoS mitigation elements. Attacks are prevalent because the internet was designed to be open, and accessible, and historically focuses on how to find services, not how to protect services. Further, attacks are made easy by the fact that each service runs on a small number of servers, and those servers are resolved to a fixed known IP address and typically use only one, or a small range of ports for their applications. These attacks are referred to as Distributed Denial of Service (DDOS) attacks and are designed to overload network infrastructure, servers, or online applications and bring them down. Some attacks are very high volume, consuming all available bandwidth, while others use high-packet rates to exhaust and overwhelm firewall, or server resources. The result may be slow response times, or no response at all, preventing customers from using a website, online application, or service. These attacks target organizations of all types, large and small.

DDOS attacks can be somewhat mitigated with “Anycast” networking since attacking traffic may be routed to the ‘closest’ data center announcing that address and attack traffic may be divided between multiple data centers. However, attacking traffic must still be processed and filtered either by the application or the use of a firewall or other security device, something that consumes expensive resources. This costs additional money, and if the attack is large enough and focused enough, can still disrupt the service. Further, existing DDOS detection and mitigation mechanisms such as rate-liming, filtering, trend observation, threshold detection, detection and rerouting, and black holing of traffic may not always be successful in identifying and blocking malicious attacks effectively, or in a timely manner.

Hence, there is a need for cost-effective systems and methods for protecting network resources from DDOS attacks and other access-inhibiting events.

SUMMARY OF THE INVENTION

Accordingly, the inventor has conceived and reduced to practice, in a preferred embodiment of the invention, a proxy gateway between or otherwise among a source and a digital resource wherein the proxy gateway announces an IP subnet and receives a first IP packet from the source, wherein several bits of a hash result are installed into a bit set of the first IP packet but not to all IP packets, and wherein the proxy gateway provides access to the digital resource to the first IP packet but not to IP packets that don’t include such hash result bits. This can occur, for example, in a context in which the hash result was generated by encrypting a secret and a digital identifier of the source and in which a mapping to the digital resource is shared by (at least) a redirect protocol and the proxy gateway.

According to a preferred embodiment of the invention, some variants described herein relate to a method, computer program product, or other modality by a mapping is established that associates a resource with (at least some) network traffic addressed directly to or otherwise destined to an IP subnet and by which a proxy gateway receives a particular IP packet thereof. A hash result is directly or otherwise obtained as an encryption or other transformation of data that includes a digital identifier of a source of the IP packet wherein one or more bits of the hash result are directly or indirectly compared with a corresponding bit set of the IP packet as a mode of validation. The proxy gateway responds conditionally to a matching compare result and by giving the IP packet access to the resource, such as by modifying part of the bit set of the IP packet so as to cause the IP packet to be redirected to the resource.

The foregoing summary is illustrative only and is not intended to be in any way limiting. Features from any of the disclosed embodiments can be used in combination with one another, without limitation.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

The accompanying drawings illustrate several embodiments of the invention and, together with the description, serve to explain the principles of the invention according to the embodiments. It will be appreciated by one skilled in the art that the particular embodiments illustrated in the drawings are merely exemplary, and are not to be considered as limiting of the scope of the invention or the claims herein in any way.

FIG. 1 is a block diagram illustrating an exemplary hardware architecture of a computing device that may include or facilitate one or more technologies described herein.

FIG. 2 is a block diagram illustrating an exemplary logical architecture for a source that may include or facilitate one or more technologies described herein, optionally configured to interact with the device of FIG. 1.

FIG. 3 is a block diagram showing an exemplary architectural arrangement of clients, servers, external services, or other systems that may include or facilitate one or more technologies described herein.

FIG. 4 is another block diagram illustrating an exemplary hardware architecture of a computing device that may interact with or otherwise facilitate one or more technologies described herein, optionally configured to instantiate the device of FIGS. 1or2.

FIG. 5 is a block diagram of a computing system or other environment for encrypted redirection of IP traffic to a server or other resource (directly or otherwise) connected to a network that may be protected by or otherwise interact with one or more technologies described herein.

FIG. 6 is an example block diagram of a system that interfaces with one or more IP networks in which a proxy gateway 506 redirects IP traffic from a source to a resource using IP subnet addressing, according to one or more technologies described herein, optionally configured to interact with or instantiate the systems of FIGS. 3 or 5 (or both).

FIG. 7 is a flow diagram illustrating a method for encrypted redirection of IP traffic from clients in public IP subnets, according to one or more technologies described herein.

FIG. 8 is a sequence diagram illustrating the interaction between various components to redirect encrypted IP traffic to servers or other resources via IP subnets in a stateless mapping, according to one or more technologies described herein.

FIG. 9 illustrates an exemplary IP network for extending the encoding bit space available, according to one or more technologies described herein.

FIG. 10 illustrates one or more systems that interact with one or more remote facilities via one or more networks that can connect with one or more resources protected according to one or more technologies described herein, optionally configured to interact with or instantiate a system of FIGS. 3, 5, or 6.

DETAILED DESCRIPTION

The inventor has conceived, and reduced to practice, systems and methods to protect resources from DDOS attacks and other access-inhibiting events. In some variants a proxy gateway 506 hides a server or other resource using IP subnet addressing and receives authenticated IP packets. A checksum or other security hash is generated and destination IP packets address/ports are encrypted using a secret, protocol, client IP address, resource IP address, port, or combination of these. The cryptographic hash and destination server are mapped into existing IP packet addresses, ports, or payload bits. The IP packets are routed to a redirect node in the public IP subnet of the proxy gateway 506. At the redirected node, the cryptographic hash is validated and the resource IP address and the port are extracted from mapping. Redirect node maps the clients public IP/port to an internal IP address and port associated with the resource, and tunnels the IP packets from the redirect node to the resource using the internal IP address and port.

One or more different inventions may be described in the present application. Further, for one or more of the inventions described herein, many variant embodiments may be described; it should be appreciated that these are presented for illustrative purposes only and are not limiting of the inventions contained herein or the claims presented herein in any way. One or more of the inventions may be widely applicable to many embodiments, as may be readily apparent from the disclosure. In general, embodiments are described in sufficient detail to enable those skilled in the art to practice one or more of the inventions, and it should be appreciated that other embodiments may be utilized and that structural, logical, software, electrical, and other changes may be made without departing from the scope of the particular inventions. Accordingly, one skilled in the art will recognize that one or more of the inventions may be practiced with various modifications and alterations.

Particular features of one or more of the inventions described herein may be described with reference to one or more particular embodiments or figures that form a part of the present disclosure, and in which are shown, by way of illustration, specific embodiments of one or more of the inventions. It should be appreciated, however, that such features are not limited to usage in one or more embodiments or figures with reference to which they are described. The present disclosure is neither a literal description of all embodiments of one or more of the inventions nor a listing of features of one or more of the inventions that must be present in all embodiments.

Headings of sections provided in this patent application and the title of this patent application are for convenience only and are not to be taken as limiting the disclosure in any way.

Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more communication means or intermediaries, logical or physical.

A description of an embodiment with several components in communication with each other does not imply that all such components are required. To the contrary, a variety of optional components may be described to illustrate a wide variety of possible embodiments of one or more of the inventions and to fully illustrate one or more aspects of the inventions. Similarly, although process steps, method steps, protocols or the like may be described in sequential order, such processes, methods, and protocols may generally be configured to work in alternate orders, unless specifically stated to the contrary. In other words, any sequence or order of steps that may be described in this patent application does not, in and of itself, indicate a requirement that the steps be performed in that order. The steps of described processes may be performed in any order practical. Further, some steps may be performed simultaneously despite being described or implied as occurring non-simultaneously (e.g., because one step is described after the other step). Moreover, the illustration of a process by its depiction in a drawing does not imply that the illustrated process is exclusive of other variations and modifications thereto, does not imply that the illustrated process or any of its steps are necessary to one or more of the inventions(s), and does not imply that the illustrated process is preferred. Also, steps are generally described once per embodiment, but this does not mean they must occur once, or that they may only occur once each time a process, method, or protocol is carried out or executed. Some steps may be omitted in some embodiments or some occurrences, or some steps may be executed more than once in a given embodiment or occurrence.

When a single device or article is described herein, it will be readily apparent that more than one device or article may be used in place of a single device or article. Similarly, where more than one device or article is described herein, it will be readily apparent that a single device or article may be used in place of more than one device or article.

The functionality or features of a device may be alternatively embodied by one or more other devices that are not explicitly described as having such functionality or features. Thus, other embodiments of one or more of the inventions need not include the device itself.

Techniques and mechanisms described or referenced herein will sometimes be described in singular form for clarity. However, it should be appreciated that few embodiments may include multiple iterations of a technique or multiple instantiations of a mechanism unless noted otherwise. Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code that include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of embodiments of the present invention in which, for example, functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those having ordinary skill in the art.

The detailed description that follows is represented largely in terms of processes and symbolic representations of operations by conventional computer components, including a processor, memory storage devices for the processor, connected display devices, and input devices. Furthermore, some of these processes and operations may utilize conventional computer components in a heterogeneous distributed computing environment, including remote file servers, computer servers, and memory storage devices.

It is intended that the terminology used in the description presented below be interpreted in its broadest reasonable manner, even though it is being used in conjunction with a detailed description of certain example embodiments. Although certain terms may be emphasized below, any terminology intended to be interpreted in any restricted manner will be overtly and specifically defined as such.

The phrases “in one embodiment,” “in various embodiments,” “in some embodiments,” and the like are used repeatedly. Such phrases do not necessarily refer to the same embodiment. The terms “comprising,” “having,” and “including” are synonymous, unless the context dictates otherwise.

“Above,” “after,” “announced,” “authenticated,” “automatic,” “borne,” “caused,” “conditional,” “configured,” “encrypted,” “first,” “hashing,” “herein,” “incoming,” “ineffectual,” “installed,” “internal,” “known-offset,” “nonvolatile,” “of,” “programmatic,” “proxied,” “redirected,” “rendered,” “selective,” “shared,” “substitution,” “tangible,” “to,” “transistor-based,” “valid,” “via,” “wherein,” “without,” or other such descriptors herein are used in their normal yes-or-no sense, not merely as terms of degree, unless context dictates otherwise. In light of the present disclosure, those skilled in the art will understand from context what is meant by “remote” and by other such positional descriptors used herein. Likewise, they will understand what is meant by “partly based” or other such descriptions of dependent computational variables/signals. “Numerous” as used herein refers to more than two dozen unless context dictates otherwise. “Immediate” as used herein refers to having a duration of less than 5 seconds unless context dictates otherwise. Circuitry is “invoked” as used herein if it is called on to undergo voltage state transitions so that digital signals are transmitted therefrom or therethrough unless context dictates otherwise. Software is “invoked” as used herein if it is executed/triggered unless context dictates otherwise. One number is “on the order” of another if they differ by less than an order of magnitude (i.e., by less than a factor of ten) unless context dictates otherwise. As used herein “causing” is not limited to a proximate cause but also enabling, conjoining, or other actual causes of an event or phenomenon. “Instances” of an item may or may not be identical or similar to each other, as used herein.

Terms like “processor,” “center,” “unit,” “computer,” or other such descriptors herein are used in their normal sense, in reference to an inanimate structure. Such terms do not include any people, irrespective of their location or employment or other association with the thing described, unless context dictates otherwise. “For” is not used to articulate a mere intended purpose in phrases like “circuitry for” or “instruction for,” moreover, but is used normally, in descriptively identifying special purpose software or structures. In the context of IP networks "public" refers to a port or IP address that is globally unique and directly accessible over the internet, meaning it can be used to communicate with devices on other networks. A "public” subnet refers to one or more ranges of IP addresses assigned by a governing body that are directly accessible from the internet, meaning devices within that subnet can generally communicate with the public internet without needing a special translation mechanism like a NAT (Network Address Translation). Some network objects are described herein as “internal,” moreover, signaling that that may be private, blocked, scrambled, repurposed, semi-private, or otherwise in need of a NAT or other non-universal access mode, unless context dictates otherwise.

Reference is now made in detail to the description of the embodiments as illustrated in the drawings. While embodiments are described in connection with the drawings and related descriptions, there is no intent to limit the scope to the embodiments disclosed herein. On the contrary, the intent is to cover all alternatives, modifications and equivalents. In some embodiments, additional devices, or combinations of illustrated devices, may be added to, or combined, without limiting the scope to the embodiments disclosed herein.

In the interest of concision and according to standard usage in information management technologies, the functional attributes of modules described herein are set forth in natural language expressions. It will be understood by those skilled in the art that such expressions (functions or acts recited in English, e.g.) adequately describe structures identified below so that no undue experimentation will be required for their implementation. For example, any session metadata or other informational data identified herein may be represented digitally as a voltage configuration on one or more electrical nodes (conductive pads of an integrated circuit, e.g.) of an event-sequencing structure without any undue experimentation. Each electrical node is highly conductive, having a corresponding nominal voltage level that is spatially uniform generally throughout the node (within a device or local system as described herein, e.g.) at relevant times (at clock transitions, e.g.). Such nodes (lines on an integrated circuit or circuit board, e.g.) may each comprise a forked or other signal path adjacent one or more transistors. Moreover, many Boolean values (yes-or-no decisions, e.g.) may each be manifested as either a “low” or “high” voltage, for example, according to a complementary metal-oxide-semiconductor (CMOS), emitter-coupled logic (ECL), or other common semiconductor configuration protocol. In some contexts, for example, one skilled in the art will recognize an “electrical node set” as used herein in reference to one or more electrically conductive nodes upon which a voltage configuration (of one voltage at each node, for example, with each voltage characterized as either high or low) manifests a yes/no decision or other digital data.

Hardware Architecture

Generally, the techniques disclosed herein may be implemented on hardware or a combination of software and hardware. For example, they may be implemented in an operating system kernel, in a separate user process, in a library package bound into network applications, on a specially constructed machine, on an application-specific integrated circuit (ASIC), or on a network interface card.

Software/hardware hybrid implementations of at least some of the embodiments disclosed herein may be implemented on a programmable network-resident machine (which should be understood to include intermittently connected network-aware machines) selectively activated or reconfigured by a computer program stored in memory. Such network devices may have multiple network interfaces that may be configured or designed to utilize different types of network communication protocols. A general architecture for some of these machines may be described herein in order to illustrate one or more exemplary means by which a given unit of functionality may be implemented. According to specific embodiments, at least some of the features or functionalities of the various embodiments disclosed herein may be implemented on one or more general-purpose computers associated with one or more networks, such as for example an end-user computer system, a client computer, a network server or other server system, a mobile computing device (e.g., tablet computing device, mobile phone, smartphone, laptop, or other appropriate computing device), a consumer electronic device, a music player, or any other suitable electronic device, router, switch, or other suitable device, or any combination thereof. In at least some embodiments, at least some of the features or functionalities of the various embodiments disclosed herein may be implemented in one or more virtualized computing environments (e.g., network computing clouds, virtual machines hosted on one or more physical computing machines, or other appropriate virtual environments).

Referring now to FIG. 1, there is shown a block diagram depicting an exemplary computing device 100 suitable for implementing at least a portion of the features or functionalities disclosed herein. Computing device 100 may be, for example, any one of the computing machines listed in the previous paragraph, or indeed any other electronic device capable of executing software- or hardware-based instructions according to one or more programs stored in memory. Computing device 100 may be adapted to communicate with a plurality of other computing devices, such as clients or servers, over communications networks such as a wide area network a metropolitan area network, a local area network, a wireless network, the Internet, or any other network, using known protocols for such communication, whether wireless or wired.

In one embodiment, computing device 100 includes one or more central processing units (CPU) 102, one or more interfaces 110, and one or more busses 106 (such as a peripheral component interconnect (PCI) bus). When acting under the control of appropriate software or firmware, CPU 102 may be responsible for implementing specific functions associated with the functions of a specifically configured computing device or machine. For example, in at least one embodiment, a computing device 100 may be configured or designed to function as a server system utilizing CPU 102, local storage 101 and/or remote storage 120, and interface(s) 110. In at least one embodiment, CPU 102 may be caused to perform one or more of the different types of functions and/or operations under the control of software modules or components, which for example, may include an operating system and any appropriate applications software, drivers, and the like.

CPU 102 may include one or more processors 113 such as, for example, a processor from one of the Intel, ARM, Qualcomm, and AMD families of microprocessors. In some embodiments, processors 113 may include specially designed hardware such as application-specific integrated circuits (ASICs), electrically erasable programmable read-only memories (EEPROMs), field-programmable gate arrays (FPGAs), and so forth, for controlling operations of computing device 100. In a specific embodiment, a local memory 101 (such as non-volatile random-access memory (RAM) and/or read-only memory (ROM), including for example one or more levels of cached memory) may also form part of CPU 102. However, there are many ways in which memory may be coupled to device 100. Memory 101 may be used for a variety of purposes such as, for example, caching and/or storing data, programming instructions, and the like. It should be further appreciated that CPU 102 may be one of a variety of system-on-a-chip (SOC) type hardware that may include additional hardware such as memory or graphics processing chips, such as a Qualcomm SNAPDRAGON™ or Samsung EXYNOS™ CPU as are becoming increasingly common in the art, such as for use in mobile devices or integrated devices.

As used herein, the term “processor” is not limited merely to those integrated circuits referred to in the art as a processor, a mobile processor, or a microprocessor, but broadly refers to a microcontroller, a microcomputer, a programmable logic controller, an application-specific integrated circuit, and any other programmable circuit.

In some variants interfaces 110 are provided as network interface cards (NICs). Generally, NICs control the sending and receiving of data packets over a computer network; other types of interfaces 110 may for example support other peripherals used with computing device 100. Among the interfaces that may be provided are Ethernet interfaces, InfiniBand, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, graphics interfaces, and the like. In addition, various types of interfaces may be provided such as, for example, universal serial bus (USB), Serial, Ethernet, FIREWIRE™, THUNDERBOLT™, PCI, parallel, radio frequency (RF), BLUETOOTH™, near-field communications (e.g., using near-field magnetics), 802.11 (Wi-Fi), frame relay, TCP/IP, ISDN, fast Ethernet interfaces, Gigabit Ethernet interfaces, Serial ATA (SATA) or external SATA (ESATA) interfaces, high-definition multimedia interface (HDMI), digital visual interface (DVI), analog or digital audio interfaces, asynchronous transfer mode (ATM) interfaces, high-speed serial interface (HSSI) interfaces, Point of Sale (POS) interfaces, fiber data distributed interfaces (FDDIs), and the like. Generally, such interfaces 110 may include physical ports appropriate for communication with appropriate media. In some cases, they may also include an independent processor (such as a dedicated audio or video processor, as is common in the art for high-fidelity A/V hardware interfaces) and, in some instances, volatile and/or non-volatile memory (e.g., RAM).

Although the system shown in FIG. 1 illustrates one specific architecture for a computing device 100 for implementing one or more of the inventions described herein, it is by no means the only device architecture on which at least a portion of the features and techniques described herein may be implemented. For example, architectures having one or any number of processors 113 may be used, and such processors 113 may be present in a single device or distributed among any number of devices. In one embodiment, a single processor 113 handles communications as well as routing computations, while in other embodiments a separate dedicated communications processor may be provided. In various embodiments, different types of features or functionalities may be implemented in a system according to the invention that includes a source (such as a tablet device or smartphone running client software) and server systems (such as a server system described in more detail below).

Regardless of network device configuration, the system of the present invention may employ one or more memories or memory modules (such as, for example, remote memory block 120 and local memory 101) configured to store data, program instructions for the general-purpose network operations, or other information relating to the functionality of the embodiments described herein (or any combinations of the above). Program instructions may control the execution of or comprise an operating system and/or one or more applications, for example. Memory 120 or memories 101, 120 may also be configured to store data structures, configuration data, encryption data, historical system operations information, or any other specific or generic non-program information described herein.

Because such information and program instructions may be employed to implement one or more systems or methods described herein, at least some network device embodiments may include non-transitory machine-readable storage media, which, for example, may be configured or designed to store program instructions, state information, and the like for performing various operations described herein. Examples of such non-transitory machine-readable storage media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as optical disks, and hardware devices that are specially configured to store and perform program instructions, such as read-only memory devices (ROM), flash memory (as is common in mobile devices and integrated systems), solid state drives (SSD) and “hybrid SSD” storage drives that may combine physical components of solid state and hard disk drives in a single hardware device (as are becoming increasingly common in the art with regard to personal computers), memristor memory, random access memory (RAM), and the like. It should be appreciated that such storage means may be integral and non-removable (such as RAM hardware modules that may be soldered onto a motherboard or otherwise integrated into an electronic device), or they may be removable such as swappable flash memory modules (such as “thumb drives” or other removable media designed for rapidly exchanging physical storage devices), “hot-swappable” hard disk drives or solid-state drives, removable optical storage discs, or other such removable media, and that such integral and removable storage media may be utilized interchangeably. Examples of program instructions include both object code, such as may be produced by a compiler, machine code, such as may be produced by an assembler or a linker, byte code, such as may be generated by for example a Java™ compiler and may be executed using a Java virtual machine or equivalent, or files containing higher level code that may be executed by the computer using an interpreter (for example, scripts written in Python, Perl, Ruby, Groovy, or any other scripting language).

In some embodiments, systems according to the present invention may be implemented on a standalone computing system. Referring now to FIG. 2, there is shown a block diagram depicting a typical exemplary architecture of one or more embodiments or components thereof on a standalone computing system. Computing device 200 includes processors 210 that may run software that carry out one or more functions or applications of embodiments of the invention, such as, for example, a client application 230. Processors 210 may carry out computing instructions under the control of an operating system 220 such as, for example, a version of Microsoft's WINDOWS™ operating system, Apple's Mac OS/X or iOS operating systems, some variety of the Linux operating system, Google's ANDROID™ operating system, or the like. In many cases, one or more shared services 225 may be operable in system 200 and may be useful for providing common services to client applications 230. Shared services 225 may for example be WINDOWS™ services, user-space common services in a Linux environment, or any other type of common service architecture used with operating system 220. Input devices 270 may be of any type suitable for receiving user input, including for example a keyboard, touchscreen, microphone (for example, for voice input), mouse, touchpad, trackball, or any combination thereof. Output devices 260 may be of any type suitable for providing output to one or more users, whether remote or local to system 200, and may include for example one or more screens for visual output, speakers, printers, or any combination thereof. Memory 240 may be random-access memory having any structure and architecture known in the art, for use by processors 210, for example to run software. Storage devices 250 may be any magnetic, optical, mechanical, memristor, or electrical storage device for storage of data in digital form (such as those described above, referring to FIG. 1). Examples of storage devices 250 include flash memory, magnetic hard drive, CD-ROM, and/or the like.

In some embodiments, systems of the present invention may be implemented on a distributed computing network, such as one having any number of clients and/or servers. Referring now to FIG. 3, there is shown a block diagram depicting an exemplary architecture for implementing at least a portion of a system 300 according to one or more variants of the invention on a distributed computing network. According to the embodiment, any number of clients 330 may be provided. Each client 330 may run software for implementing client-side portions of the present invention; clients may comprise a system 200 such as that illustrated in FIG. 2. In addition, any number of servers 320 may be provided for handling requests received from one or more clients 330. Clients 330 and servers 320 may communicate with one another via one or more electronic networks 310, which may be in various embodiments any of the Internet, a wide area network, a mobile telephony network (such as CDMA or GSM cellular networks), a wireless network (such as Wi-Fi, WiMAX, LTE, and so forth), or a local area network (or indeed any network topology known in the art; the invention does not prefer any one network topology over any other). Networks 310 may be implemented using any known network protocols, including for example wired and/or wireless protocols.

In addition, in some embodiments, servers 320 may call external services 370 when needed to obtain additional information, or to refer to additional data concerning a particular call. Communications with external services 370 may take place, for example, via one or more networks 310. In various embodiments, external services 370 may comprise web-enabled services or functionality related to or installed on the hardware device itself. For example, in variants where client applications 230 are implemented on a smartphone or other electronic device, client applications 230 may obtain information stored in a server system 320 in the cloud or on an external service 370 deployed on one or more of a particular enterprises or user's premise.

In some embodiments of the invention, clients 330 or servers 320 (or both) may make use of one or more specialized services or appliances that may be deployed locally or remotely across one or more networks 310. For example, one or more databases 340 may be used or referred to by one or more embodiments of the invention. It should be understood by one having ordinary skill in the art that databases 340 may be arranged in a wide variety of architectures and using a wide variety of data access and manipulation means. For example, in various embodiments, one or more databases 340 may comprise a relational database system using a structured query language (SQL), while others may comprise an alternative data storage technology such as those referred to in the art as “NoSQL” (for example, Hadoop Cassandra, Google Bigtable, and so forth). In some embodiments, variant database architectures such as column-oriented databases, in-memory databases, clustered databases, distributed databases, or even flat file data repositories may be used according to the invention. It will be appreciated by one having ordinary skill in the art that any combination of known or future database technologies may be used as appropriate unless a specific database technology or a specific arrangement of components is specified for a particular embodiment herein. Moreover, it should be appreciated that the term “database” as used herein may refer to a physical database machine, a cluster of machines acting as a single database system, or a logical database within an overall database management system. Unless a specific meaning is specified for a given use of the term “database”, it should be construed to mean any of these senses of the word, all of which are understood as a plain meaning of the term “database” by those having ordinary skill in the art.

Similarly, most embodiments of the invention may make use of one or more security systems 360 and configuration systems 350. Security and configuration management are common information technology (IT) and web functions, and some amount of each is generally associated with any IT or web systems. It should be understood by one having ordinary skill in the art that any configuration or security subsystems known in the art now or in the future may be used in conjunction with embodiments of the invention without limitation unless a specific security or configuration system 350, 360 or approach is specifically required by the description of any specific embodiment.

FIG. 4 shows an exemplary overview of a computer device 400 as may be used in any of the various locations throughout systems described herein. It is exemplary of any computer that may execute code or otherwise handle data as described herein. Various modifications and changes may be made to computer system 400 without departing from the broader spirit and scope of the system and method disclosed herein. CPU 401 is connected to bus 402, to which bus is also connected memory 403, nonvolatile memory 404, display 407, I/O unit 408, and network interface card (NIC) 413. I/O unit 408 may, typically, be connected to keyboard 409, pointing device 410, hard disk 412, and real-time clock 411. NIC 413 connects to network 310, which may be the Internet or a local network, which local network may or may not have connections to the Internet. Also shown as part of system 400 is power supply unit 405 connected, in this example, to AC supply 406. Not shown are batteries that could be present, and many other devices and modifications that are well known but do not apply to the specific novel functions of the current system and method disclosed herein. It should be appreciated that some or all components illustrated may be combined, such as in various integrated applications (for example, Qualcomm or Samsung SOC-based devices), or whenever it may be appropriate to combine multiple capabilities or functions into a single hardware device (for instance, in mobile devices such as smartphones, video game consoles, in-vehicle computer systems such as navigation or multimedia systems in automobiles, or other integrated hardware devices).

In various embodiments, functionality for implementing systems or methods of the present invention may be distributed among any number of client and/or server components. For example, various software modules may be implemented for performing various functions in connection with the present invention, and such modules may be variously implemented to run on server and/or client components.

Conceptual Architecture

FIG. 5 is a block diagram of a computing environment 500 for encrypted redirection of IP traffic to a network-connected resource 508, according to an embodiment of the invention. HTTP requests from a client device 502 or other request source may reach a Content Delivery Network (CDN) 510 that performs dynamic request routing using the Internet's Domain Name System (DNS) server 504.

DNS server 504 may be a distributed directory whose primary role may be to map fully qualified domain names to IP addresses. To determine the IP address, a request source sends a request to DNS server 504. In response, the source may receive a CDN-based address to retrieve the landing page/authentication code. CDN server 504 initiates the authentication of the source. CDN server 510 may authenticate the source using tokens, cookies, auth exchange, and client certificates. During operation, successful authentication results in the redirection of traffic from the source to proxy gateway 506.

In some embodiments, proxy gateway 506 may be a router that accepts an entire IP subnet of traffic. The IP subnet may be announced to the public. IP traffic may be routed via IPv4 or IPv6. In the case of IPV4, an entire subnet may be announced, which for IPV4 must be at least/24 (256 IP addresses) and for IPV6/48 (2{circumflex over ( )}80 IP addresses). In the case of IPV4, with IP subnet addressing 256 servers (redirect nodes) may be announced to accept encrypted IP packets. In some cases, proxy gateway 506 may configure multiple servers using Equal-cost multi-path routing (ECMP) with identical IP addresses to route IP traffic to the resource 508. This IP address subnetting can help in protecting resource 508 from DDOS attacks or similar performance-degrading impairments. The use of subnet mappings means that traffic can be steered through protocols such as Border Gateway Protocol (BGP) and ECMP. Externally, only IPV4/24, IPv6/48, or larger networks are reroutable via external public BGP. Internally, BGP can be used to split and shift traffic as required. GP routing may be used for redundancy and load distribution.

In some embodiments, proxy gateway 506 includes one or more processors 513, memory 514, a cryptographic encryptor 515, a secret key 516, and mappings 517. In some cases, proxy gateway 506 may be configured to perform encrypted redirection of authenticated client IP traffic. In some variants the routing of the client IP traffic to resource 508 may be performed by processor 513 using instructions stored in the memory 514 of proxy gateway 506. In some cases, cryptographic encryptor 515 may combine the source client IP address, protocol, secret key 516, and a server IP address and port to create a cryptographic hash unique to the source.

In an embodiment, cryptographic encryptor 515 uses hashing protocols to protect the destination IP address and port. The protocols used may include but are not limited to, SHA variants, CRC-32, and Murmur3. In some cases, secret key 516 may also be referred to as a private key may be typically a long, randomly, or pseudo-randomly generated sequence of bits that cannot be easily guessed. A complex private key may be used to prevent attackers from guessing the key.

The cryptographic hash may be then mapped into existing IP packet addresses, ports, or payload bits. IPV4/24 address has eight bits of address and 16 bits of ports. When additional bits are required, and the client supports it, encrypted bits can be placed into other embedded payload protocols (like VLAN space, or VXLAN space) that can hold additional bits. The use of bit space in the subnet, plus the port, plus any additional agreed space reduces the probability (zero to minimal) of random traffic finding service. Additional checksums may be added if there is additional bit space to store them. Since each packet can be computed independently of all other packets, this solution scales linearly with processor cores.

Multiple mappings 517 can be created that allow different clients to connect with resource 508 via different redirect nodes 512. Multiple mappings 517 can exist for the same server/service. Multiple mappings 517 can exist on the same network at the same time and each mapping may be defined by a different key, or applicable start-end validity times. Mappings 517 are created for each connection between a redirect node (i.e. routable public subnet address) and resource 508 for routing of IP traffic from the source. Mappings 517 may be created, modified, and deleted through a secured Application Programming Interface (API), and distributed to redirect nodes 512 in the IP subnet.

In an embodiment, encrypted IP packets from the proxy gateway 506 are randomized using redirect node 512 in the IP subnet. The random IP subnet address and random port may be associated with a redirect node 512A.

In an embodiment, multiple redirect nodes 512A, 512B . . . 512N (collectively referred to as redirect nodes 512) may be a real server, or can simply represent vCPUs and are implemented easily using hardware or low-level networking. Redirect nodes 512 may be configured to manage different public IP subnets, or different mappings 517 on the same IP subnet. In some variants redirect nodes 512 (software and hardware nodes) can share loads, with hardware available for larger attacks, and software available to handle small attacks. In an example, a single vCPU processes about 1 Mpps, and may be scalable linearly across vCMP cores. Ampere 80 vCPU on Equinix Metal has 50 Gbps of a network, up to 50 M pps (est), at $1800.00/month Single Achronix card processes up to 6×100 Gbps, up to 700M pps, at $25,000 per month Up to 4×Achronix VectorPath per 1 U, 42 U per rack=100 Tbps, 10 racks=1 Pctabit/s.

In an embodiment, redirect nodes 512 may include mappings 517. Mappings 517 may be received from proxy gateway 506 at all the redirect nodes 512. For case of explanation, IP packets received at redirect node 512A are described. At redirect node 512A, received IP packets are decrypted and the source are validated based on the protocol used for encryption and secret key 516. In addition to performing validation redirect nodes 512 may incorporate additional filters such as rate limiting or maintaining a whitelist and/or a blacklist.

In an embodiment, during operation, redirect nodes 512 may be configured to decrypt and determine the IP address of each resource 508 and its port from the encrypted IP packets, or specified in mappings 517. Mappings 517 may have a server IP/port, in which case no data bits are required. However, we can reserve some bits for incremental IP addresses or ports. For example, mappings 517 may state that resource 508 is 10.1.2.3, and mappings 517 may state that last two bits are for incrementing, then they would not store the encrypted randomized value, not be checked, but just used for accessing server 10.1.2.4/5/6/7, same for ports, if the default port is 443 in the mapping, then two bits reserved for incremental ports would decode to ports 444/445/446/447. Mappings 517 may further include an ‘gateway IP’ that resource 508 may use to reply, or send outbound packets. This allows reverse mapping of outgoing packets.

Redirect node 512 may be configured to route the IP traffic to resource 508 by mapping the client IP packets to an internal client IP address and port associated with resource 508. Traffic may be tunneled via the internal client IP address and port to resource 508 via the mapping of the internal client IP/port to the client public IP/port.

In an embodiment, redirect node 512 may be implemented on a Network Interface Card (NIC), Data Processing unit (DPU), Network Processing Unit (NPU), FPGA, or CPU. Further, implementation on CPU can be done at low level such as eBPF on XDP, before traffic reaches the OS. Also, this protocol is self-contained so it can be implemented directly on firewall and other network security appliances, including P4 or NPL programmable switch logic.

In an embodiment, resource 508 may comprise a server that is hosting the protected services. Resource 508 may not be directly accessible to sources except through redirection via redirect nodes 512 in the IP subnet. As resource 508 is hidden via a random cryptographic location in public IP subnets, it provides additional protection from random DDOS traffic immediately. Sources have no public access to the resource 508.

During operation, any requests for non-existent services, IP addresses, or ports are flagged/logged by redirect nodes 512. In some cases, the source may be flagged for inappropriate access and the customer account may be disabled/redirected. Any attacks to the mapped IP/port of a redirect node are tied to a source, so it may be harder to hide. Further, these violations may be reported to authentication mechanism to limit/prevent additional authentications, and redirects.

In an embodiment, redirect nodes 512 may support both stateless and stateful configurations. The stateless configuration benefits from scalability, and the stateful configuration is useful for fine-grained protection. Mappings are for all connections between an external subnet and resource 508.

Mapping 517 maintained by redirected nodes 512 that support stateless configuration may be referred to as stateless mapping. Stateless configuration allows traffic to be spread across multiple redirect nodes 512. When the processing is stateless, no reconnection is required, subnet addressing is used to map the IP traffic to redirect nodes 512, and then IP traffic may be routed to a service node (e.g. a network-connected resource 508). A service admin may provision different mappings 517 and rotate through the mappings to ensure that previous sources are disconnected. The use of multiple overlapping mappings on the same IP subnet ensures that previous connections are reset. Further, stateless mapping can be rotated to invalidate any abusers including preset, and/or overlapping mappings in the same space.

Using stateless configuration, there may be a single entry per client, irrespective of number of clients. Hence, the IP subnetting-based solution can be scaled infinitely to terabits, petabits, exabits, and beyond when combined with BGP and EMCP. In the case of stateless mapping, a redirect node may also be withdrawn in case of failure or overload. The impacted traffic received at the withdrawn node may be rerouted and serviced by a different redirect node in the IP subnet.

In the case of stateful configuration, IP traffic from clients is still pushed out to multiple stateless redirect nodes 512. This stateful mapping/implementation may be targeted at online gaming/gambling/financial services. Since users must pass the stateless check, the traffic tunneled to stateful server 514 should not include random traffic, and excessive or abusive traffic can be eliminated by adding a blacklist before performing stateful operations.

At the redirect node 512, IP packets that do not pass the hash check are filtered, but IP packets that pass the hash test are tunneled to a central single stateful server 514. Stateful server 514 records the client IP address and port before routing the IP traffic to an intended resource 508. The stateful server 514 may be configured directly by the service admin using an API. The service admin can ‘create’ secure ‘rooms’ or ‘bubbles’.

Referring now to FIG. 10, when the first IP packet 1017As arrive, optionally, the client port may be recorded and lock that client to that slot or seat. If the client is eliminated, the service admin can eliminate that client's IP (and port) from the ‘room’, and then the client has no network access to the room. The client still has the valid IP/port for the duration of the mapping, which will allow those packets to traverse the edge nodes, but they will be dropped on stateful server 514 before interfering with the remaining active clients in the room. The service admin can remove a client from a room, or delete a room with an API call. The advantage is that the mapping that is pushed to all the edge nodes does not change. In an example, a service admin was operating an online poker game, the ‘room’ would be created by API, clients' IPs would be added by API, and the clients redirected to the mapping public IP subnet.

In addition to gaming and financial servers, the use of IP subnet-based addressing (redirect nodes 512) may be used for OpenVPN using which customers are connecting to corporate networks, this allows the actual ingress to the corporate network to be harder to locate and attack. This also allows customers who may be struggling with unique IP addresses to repurpose thousands more devices into legacy IP address space.

FIG. 6 is an example block diagram of a system 600 that interfaces with one or more IP networks 310 in which a proxy gateway 506 redirects IP traffic from a source to a resource 508 using IP subnet addressing, according to one or more technologies described herein, optionally configured to interact with or instantiate the systems of FIGS. 3 or 5 (or both). Proxy gateway 506 may be used for announcing the IP subnet 123.45.0.0/16. When the public subnet is IPV4: 123.45.0.0/16, there are 16 IP bits and 16 UDP/TCP port bits to utilize. IPV4 offers limited bit space, however, with IPV6, /48 networks can be announced, which allows 80 bits in IPV6 space, plus those 16 bits in UDP/TCP port space. Hence, it would be possible to use 8 bits, and provision a mapping to ISP1, use another 8 bits and provision to ISP2, and so on, and still use remainder for the end node.

Today, ISPs use FlowSpec to allow a customer to invoke Remote triggered blackhole (RTBH) routing, we can use the same mechanism to push the public IP of the mapping, plus all the mapping attributes. The ISP can then route traffic to their nodes to perform the filtering as per the mapping.

In FIG. 6, there are three redirect nodes 512A, 512B, and 512C. The first two redirect nodes 512A and 512B may be software nodes announcing IPV4/17 subnets and redirect node 512C may be a hardware node announcing IPV4/16 subnets. This type of IP subnet addressing may allow half of the random traffic to go to redirect node 512A and the other half of random traffic may flow to redirect node 512B. The third redirect node 512C does not process random IP traffic usually. During operation, if either of the redirect nodes 512A and 512B fails or is overwhelmed, then traffic may be routed by proxy gateway 506 to the hardware node 512C. In some cases, the software nodes may simply stop announcing their IP subnets and the traffic falls back to the hardware node.

Further, at any given instance additional redirect nodes 512 may be created and assigned with different subnets. In some cases, a single redirect node 512A may be configured to process IP traffic associated with a single IP address. For example, IP packets for resource 508 may be routed via redirect node 512A. The use of multiple redirect nodes 512 provides inherent balancing.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

FIG. 7 is a flow diagram illustrating method 700 for encrypted redirection of IP traffic from clients in public IP subnets, in accordance with a preferred embodiment of the invention. In an embodiment, steps of method 700 may be performed by redirect node 512 in the IP subnet of proxy gateway 506.

At step 702, proxy gateway 506 may receive IP packets redirected by CDN server 510 after authentication of the source. CDNs improve server performance by using a distributed network of servers to deliver service availability to users. Because CDNs reduce server load, they reduce server costs and are well-suited to handling traffic spikes. For example, all the static content for a banking web page can be distributed by CDN. Only after executing the login and redirect can the user interact with banking APIs. Those APIs exist on the resource 508 behind the proxy gateway 506.

For IP traffic directed towards a resource 508, the source may be redirected to a secure network (CDN) from a public web server, using standard DNS server 504. CDN server 510 may authenticate the source using tokens, cookies, auth exchange, and client certificates. During operation, successful authentication results in the redirection of IP packets from the source to proxy gateway 506.

At step 704, proxy gateway 506 may generate a cryptographic hash by encrypting the IP packets using a secret, protocol, client IP address, and resource IP address and port, wherein the cryptographic hash may be mapped into existing IP packet address, port, or payload bits. This mapping of the cryptographic hash (unique to the client) with encryption of resource 508.

It is important to identify which bits go where in the mapping. For example, if the public subnet is IPV4: 123.45.0.0/16, there are 16 IP bits and 16 UDP/TCP port bits to utilize. A mapping for the first 8 bits of that space, or 123.45.ZZ.00/16, and another for the second eight bits 123.45.00.XX and mapping may also be present in the 16-bit port number XXXX. Redirect node 512 may extract the correct bits for a server IP address and port number based on the mapping. In some variants a first mapping 123.45.ZZ.00 may be provisioned to ISPs, with a longer duration (say 2-10 days), and the second mapping 123.45.00.XX may be provisioned to ISP with a shorter duration (hours). This way, an ISP can filter the traffic based only on the 8 ZZ or 8 XX bits.

At step 706, the IP packets are redirected to an IP subnet of the proxy server 506. In an example, the IP packets route the IP packets to redirect node 512B (IP subnet 123.45.0.0/17). For case of explanation redirect node 512B may be considered as an example of an external IP subnet address that routes the IP traffic.

At step 708, redirect node 512 may determine if the IP packets are valid. The cryptographic graphic hash may be unique to the source IP address of the source. When the IP packets are not from the source IP address present in the mapping, then at step 710, the IP packets are considered attackers and the IP packets are rejected. For example, if a bot were instructed to attack that 123.45.54.202 port 3674, from any other source IP address, it would be rejected. When responding to traffic that would be blocked, in addition to the rejection of the IP packets, logging or reporting may be also performed. For example, if an attacker can send TCP SYN packets, these would be dropped by a typical server without a service on that TCP port, and redirect node 512 may respond with a SYN/ACK, telling the attacker that the port is unavailable. The benefit may be that the attacker cannot simply ‘scan’ TCP IP/ports until they get a response. If every IP/port responds, then they need to waste resources performing a full TCP connection on every port. Any traffic that would be denied can be logged/reported, and then traffic redirected to a ‘honeypot’ where the attacker can interact with a decoy system designed to extract more information on the attack without reaching any production resources 508.

At step 712, redirect node 512B may decrypt the IP packets to determine a server IP address and port from the IP packet. Redirect node 512B may compare the server IP address and port extracted from the IP packet with information in the mappings 517.

At step 714, redirect node 512B may determine if the mapping identified in IP packets is stateless. In some variants redirect node 512B may support both stateless and stateful configurations. The stateless configuration benefits from scalability, and the stateful configuration may be useful for fine-grained protection. Mappings are for all connections between an external subnet (i.e. redirect node 512B) and resource 508.

When the processing is stateless, no reconnection is required, and at step 716, an address translation may be performed based on the mapping data. Redirect node 512 may be configured to route the IP traffic to a server IP address and port by mapping the client IP to an internal client IP address and port associated with server or other resource 508. This address translation allows traffic from the source to be routed to resource 508 via the assignment of internal IP/port assigned to the source.

Redirect node 512 may be configured to route the IP traffic to the resource 508 by mapping the client IP packets to an internal IP address and port associated with resource 508. Traffic from the source may be tunneled to resource 508 via internal IP/port assigned to the client public IP/port.

Each address translation to route IP packets between redirect node 512B and resource 508 may be based on mappings 517 data. At step 718, IP packets are routed to the resource IP and port from the redirected node 512B.

When the processing is not stateless, then at step 720, IP traffic may be tunneled to a stateful server 514. Redirect node 512B redirects the IP traffic to the stateful server 514. Stateful server 514 may be configured directly by the service admin using an API. The service admin can ‘create’ secure ‘rooms’ or ‘bubbles’.

At step 722, stateful server 514 records the client's IP address and port. At step 724, IP traffic may be routed to resource 508. When the first IP packet 1017 arrives, optionally, the client port may be recorded and lock that client to that slot or seat. If the client is eliminated, the service admin can eliminate that client's IP (and port) from the ‘room’, and then the client has no network access to the room. The client still has the valid IP/port for the duration of the mapping, which will allow those packets to traverse the redirect nodes 512, but they will be dropped at stateful server 514 before interfering with the remaining active clients in the room. The service admin can remove a client from a room, or delete a room with an API call. The advantage is that the mapping that is pushed to all the edge nodes does not change. In an example, a service admin was operating an online poker game, the ‘room’ would be created by API, clients' IPs would be added by API, and the clients redirected to the mapping public IP subnet. At step 724, IP packets are routed to the resource IP and port from stateful server 514.

In case of an attack at proxy gateway 506 or redirect nodes, the connections between redirect node 512 and resource 508 are terminated. The source needs to be reauthenticated and a new mapping using a new secret is created.

FIG. 8 is a sequence diagram 800 illustrating the interaction between various components in an IP network to redirect encrypted IP traffic to resource 508 via IP subnets, according to an embodiment of the invention. The components may include the source, proxy gateway 506, redirect nodes 512, CDN server 510, and resource 508.

The source transmits a client request 801 to the gateway. The client request 801 can e.g. be an HTTP request or a COAP request. The client request 801 may be a request to resource 508. Client request 801 comprises a first (unmodified) FQDN (Fully Qualified Domain Name) which may be a pointer to resource 508, e.g. www.facebook.com.

Client request 801 may be authenticated by CDN server 510. The source (e.g. a client device 502) may receive a CDN-based address to retrieve the landing page/authentication code at CDN server 510. CDN server 510 initiates the authentication 802 of the source. CDN server 510 may authenticate the source using tokens, cookies, auth exchange, and client certificates.

When the authentication operation 802 is successful the IP packets from the source are redirected to proxy subnet 506. First redirection 803 may be performed when the client can be authenticated (TLS cert, cookie, etc.), this ensures that only authenticated users can get the encrypted redirection. This also allows client authentications to optionally be paused/halted/rate limited for clients associated with attack traffic.

Proxy gateway 506 generates a combinational cryptographic hash. An encryption protocol may be used to encrypt 804 IP packets using a secret, client IP address, and resource 508’s IP address and port, wherein the cryptographic hash may be mapped into existing IP packet address, port, or payload bits. This cryptographic hash (unique to the client) includes a protocol and secret associated with the client and encrypted bits associated with resource 508 are present.

Once encrypted the IP packets are redirected for a second time to a redirect node 512 in the IP subnet of the proxy gateway 506. In second redirect 805, the IP packets from proxy gateway 506 get redirected to a redirect node 512.

Redirect node 512 validates the source, and decrypts the secret and destination service IP address and port from the IP packets. Redirect node 512 may be configured to translate 806 the client IP address to an IP address and port associated with resource 508 based on information available in mapping 517. This address translation of the client public IP/port to an internal IP address and port associated with resource 508 helps in routing IP packets from the source to a resource IP/port via redirect node 512.

Example Client to Resource 508

Client IP is 73.217.224.180. Resource 508 is www.facebook.com, and DNS server 504 resolves this to 157.240.18.35, or 2a03:2880: f127:283: face: b00c:0:25de. The client connects to these IPs, port 443, performs authentication, and gets redirected to the computed external server IP/port (redirect node 512). Assuming the secret is 0x01020304 (32 bits), Protocol is simple XOR (secret {circumflex over ()} SRCIP {circumflex over ()} (DESTIP+DESTPORT) where {circumflex over ()} =XOR and +=concatenation. designated random internal server IP/port: 10.02.02.02 port 32778 (+10), or 0x 0202020A, designated internal client IP/port: 4.45.01.01/1234, client: 73.217.224.180: port 12343.

External redirection server: 240.18.35 port 443, gets translated to a server of resource 508: 34.45.74.217 port: 57786, using internal client IP 34.45.01.01 port 1234 (internally reachable response address for outbound traffic, assigned arbitrarily). The packet computation is (0x01020304{circumflex over ()}49D9E0B4{circumflex over ()}0x0202020A) =4AD9 E1BA, 16 bits for IP: 34.45. (0x4A). (0xD9) Port: 0xE1BA

Example Client-to-Client Communication

One additional feature is to enable end client-to-client communications while protecting the client's public IP address. In gaming servers today, most lounge/chat-type features use the client's public IP address. In this case, each seat can be assigned a random value of length equal to or less than the available bits in the mapping.

When the first client wants to talk to a second client, the service can provide the second client with an IP address that is within the public subnet, but XORs in the first client and second client. So, the first client may have public IP 1.2.3.4, second client may have public IP 4.3.2.1. First client 1 may receive a mapping of 123.45.66.77 port 8899, and the second client may receive a mapping of 123.45.88.99 port 3344. These clients use those IP/port to access the server. Assuming we assign a random 8-bit value to first client (0x55) and a random 8-bit value to second client (0x29), then we select an 8-bit value of the mapping that we will ignore on the edge (say the highest 8 bits), and we can XOR the first client and the second client byte values with that bit, and provide that as the public IP/port for that one client to reach that one other client. Since the hash computed is based on the client's source IP, the value is different for each client, but when the hash is computed, the correct value for that byte is again XORed with the source client's byte, and the result is the byte of the client they want to connect with. Granted, this only provides one byte of protection, but any attempt to access any other value could be flagged on the first access, and the packets can be discarded, or the client can be disconnected.

FIG. 9 illustrates an exemplary IP network for extending the encoding bit space available, according to an embodiment of the present invention. IPV4/24 address has eight bits of address and 16 bits of ports. When additional bits are required, and the client supports it, encrypted bits can be placed into other payload protocols (like VLAN space, or VXLAN space). In cases where the client network does not have enough bits in the IP network and port bits, it may be possible to utilize additional bits in what is typically the payload of the TCP or UDP packet. An example would be to tag the traffic as VXLAN or VLAN and use those additional bits to store the encrypted value. In this case, the outer IP/UDP headers are the same, but the entire VXLAN header can be used to store encrypted bits. So, the packet is marked as VXLAN, and the encrypted value is mapped into the DEST IP, DEST PORT, and VXLAN 64 bits. When the packet is translated, the VXLAN information is removed, and a simple UDP connection is created internally. Any protocol contained in the UDP packets can be used. As many subsequent bytes as required may be used.

FIG. 10 illustrates one or more systems 1000 that interact with many mutually remote facilities 1020 via one or more networks 310, 1010 connected with one or more resources 508 protected according to one or more technologies described herein. In an embodiment, each device or other facility 1020 may include one or more instances of accesses 1011, of filters 1012, of bit sets 1016 relating to each packet 1017A-D, of hash result components suitable for “stuffing” such bit sets 1016, or of other operating parameters as described herein.

Various instances of system 1000 as shown, for example, can interact with or implement an above-described system 200, 300, 400, 600. Two facilities 1020A-B as shown may interact via cloud-based event-sequencing circuitry 1019 in one or more networks 310, 1010 spanning the Atlantic Ocean, either or both of which manages (an instance of) a vulnerable resource 508 as described herein. Such circuitry 1019 may comprise one or more integrated circuits (ICs), for example, optionally mounted on one or more circuit boards that implementing an event-sequencing structure as generally described in U.S. Pat. Pub. No. 2015/0094046 but configured as described herein. Transistor-based circuitry 1019 may (optionally) include one or more instances of implementation modules 1021 configured for local or other processing, for example, (each) including an electrical node set 1031 upon which informational data is represented digitally as a corresponding voltage configuration 1041. Transistor-based circuitry 1019 may likewise include one or more instances of filtering modules 1022 configured for local or other processing, for example, including an electrical node set 1032 upon which informational data is represented digitally as a corresponding voltage configuration 1042. Transistor-based circuitry 1019 may likewise include one or more instances of hashing modules 1023 configured for local or other processing, for example, including an electrical node set 1033 upon which informational data is represented digitally as a corresponding voltage configuration 1043. Transistor-based circuitry 1019 may (optionally) likewise include one or more instances of linking modules 1024 configured for local or other processing, for example, including an electrical node set 1034 upon which informational data is represented digitally as a corresponding voltage configuration 1044. Transistor-based circuitry 1019 may likewise include one or more instances of forwarding modules 1025 configured for local or other processing, for example, including an electrical node set 1035 upon which informational data is represented digitally as a corresponding voltage configuration 1045. Transistor-based circuitry 1019 may likewise include one or more instances of dissemination modules 1026 configured for local or other processing, for example, including an electrical node set 1036 upon which informational data is represented digitally as a corresponding voltage configuration 1046.

Referring again to FIGS. 1-10, protocols are presented herein for protecting resource availability. In an embodiment, transistor-based circuitry (e.g. one or more linking modules 1034) is remotely or otherwise invoked for established a first mapping that associates at least a first (service, application, website, server, repository, or other) resource 508 with network traffic (directly addressed to or otherwise) destined to a first IP subnet (see FIG. 6). Transistor-based circuitry (e.g. one or more implementation modules 1031) is likewise invoked for causing a first proxy gateway 506 to receive a first IP packet 1017A of the network traffic from a first source destined to the first IP subnet. Transistor-based circuitry (e.g. one or more hashing modules 1033) is remotely or otherwise invoked for causing a first hash result to be generated by encrypting or otherwise transforming a first digital identifier of the first source (e.g. of a client device 502) wherein one or more bits of the first hash result are effectively compared with a bit set of the first IP packet 1017A. Transistor-based circuitry (e.g. one or more filtering modules 1032) may likewise be invoked so as to cause the first proxy gateway 506 to respond conditionally to (a determination of) the one or more bits of the first hash result matching with the bit set of the first IP packet 1017A by giving the first IP packet 1017A a selective first access to the first resource 508. Alternatively, or additionally, transistor-based circuitry (e.g. one or more forwarding modules 1035) may cause an implementation of the selective first access by modifying at least part of the bit set of the first IP packet 1017A whereby the first IP packet 1017A is redirected to the first resource 508.

Although various operational flows are described in a sequence(s), it should be understood that the various operations may be performed in other orders than those which are illustrated or may be performed concurrently. Examples of such alternate orderings may include overlapping, interleaved, interrupted, reordered, incremental, preparatory, supplemental, simultaneous, reverse, or other variant orderings, unless context dictates otherwise. Furthermore, terms like “responsive to,” “related to,” or other past-tense adjectives are generally not intended to exclude such variants, unless context dictates otherwise.

While various system, method, article of manufacture, or other embodiments or aspects have been disclosed above, also, other combinations of embodiments or aspects will be apparent to those skilled in the art in view of the above disclosure. The various embodiments and aspects disclosed above are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated in the final claim set that follows.

In the numbered clauses below, first combinations of aspects and embodiments are articulated in a shorthand form such that (1) according to respective embodiments, for each instance in which a “component” or other such identifiers appear to be introduced (e.g., with “a” or “an,”) more than once in a given chain of clauses, such designations may either identify the same entity or distinct entities; and (2) what might be called “dependent” clauses below may or may not incorporate, in respective embodiments, the features of “independent” clauses to which they refer or other features described above.

The skilled person will be aware of a range of possible modifications of the various embodiments described above. Accordingly, the present invention is defined by the claims and their equivalents.